PT-2017-11619 · Docker +1

Ben Murphy · Published 2017-07-07 · Updated 2019-10-09 · CVE-2017-10940

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Joyent Smart Data Center versions prior to agentsshar@1.0.0-release-20160901-20160901T051624Z-g3fd5adf

Description: This issue allows remote attackers to execute arbitrary code on vulnerable installations. An attacker must first obtain the ability to execute low-privileged code on the target system. The flaw exists within the docker API, which does not properly validate user-supplied data, allowing for the upload of arbitrary files. An attacker can leverage this to execute arbitrary code under the context of root.

Recommendations: For versions prior to agentsshar@1.0.0-release-20160901-20160901T051624Z-g3fd5adf, consider disabling the docker API until a patch is available to prevent the upload of arbitrary files and mitigate the risk of arbitrary code execution. Restrict access to the docker API to minimize the risk of exploitation.
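The weakness classes listed for this entry (path traversal and unrestricted file upload) share one root cause: a client-supplied file name is joined onto a server directory without checking where the result lands. The following is an added illustration of the containment check a file-upload handler should perform; it is not code from Joyent, Docker, or this advisory, and the upload root, function names and sample file names are constructed for the example.

```python
import posixpath

# Assumed destination directory for uploads (constructed for this example).
UPLOAD_ROOT = "/var/lib/uploads"


class UnsafePathError(ValueError):
    """Raised when a client-supplied name would leave the upload root."""


def resolve_upload_path(root: str, requested: str) -> str:
    """Map a client-supplied relative name onto a path under `root`.

    The check is done on the normalized result, not on the raw input, so
    sequences such as 'a/../../b' are caught even though 'a/../b' is fine.
    Pure string logic: no filesystem access, so it runs offline.
    """
    if not requested or "\x00" in requested:
        raise UnsafePathError("empty name or NUL byte")
    if "\\" in requested:
        # Backslashes are ambiguous across platforms; refuse rather than guess.
        raise UnsafePathError("backslash in name")
    if requested.startswith("/"):
        raise UnsafePathError("absolute path not allowed")

    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, requested))

    # Containment test: the result must be strictly below the root.
    if candidate == root_norm:
        raise UnsafePathError("name resolves to the upload root itself")
    if not candidate.startswith(root_norm + "/"):
        raise UnsafePathError(f"path escapes upload root: {requested!r}")
    return candidate


def check_upload(root: str, requested: str) -> tuple:
    """Wrap the check for logging: ('accepted', path) or ('rejected', reason)."""
    try:
        return ("accepted", resolve_upload_path(root, requested))
    except UnsafePathError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Constructed sample names: some benign, some traversal attempts.
    samples = [
        "images/a.png",
        "./notes.txt",
        "a/../b",
        "../../etc/passwd",
        "a/../../b",
        "/etc/shadow",
        "..",
    ]
    for name in samples:
        verdict, detail = check_upload(UPLOAD_ROOT, name)
        print(f"{name!r:24} -> {verdict}: {detail}")
```

The string-level check above is the first layer; a handler that writes to disk should additionally resolve the final path with `os.path.realpath` at write time, because a symlink already present under the upload root can redirect a name that passed this check.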

Fix

Path traversal

Unrestricted File Upload


Weakness Enumeration

Related identifiers

CVE-2017-10940
ZDI-17-453

Affected products

Docker
Joyent Smartos